MAJOR SAFETY ISSUE FOUND (data-encryption related)

[Matteo Contigliozzi 0]

Hi there, I'm a premium Evernote user and I think I've ran into a major safety issue.

I was wondering if my encrypted data were safe enough, and asked myself what happens with the history of change regarding notes which contain encrypted data.

(For those who don't know, this is a premium function allowing to see earlier version of a Note, automatically created).

Well, I've found out that that through this view UNCRYPTED DATA ARE EXPOSED AND CAN BE SEEN WITH NO PASSWORD NEEDED.

This is a major issue that can compromise users' safety and needs to be addressed immediately. In the meantime, I suggest every user to store their sensitive data elsewhere, while waiting for this issue to be fixed.

 

 

[Dave Green 217]

Please report this to support.

[eric99 1,027]

5 hours ago, Matteo Contigliozzi said:

Hi there, I'm a premium Evernote user and I think I've ran into a major safety issue.

I was wondering if my encrypted data were safe enough, and asked myself what happens with the history of change regarding notes which contain encrypted data.

(For those who don't know, this is a premium function allowing to see earlier version of a Note, automatically created).

Well, I've found out that that through this view UNCRYPTED DATA ARE EXPOSED AND CAN BE SEEN WITH NO PASSWORD NEEDED.

This is a major issue that can compromise users' safety and needs to be addressed immediately. In the meantime, I suggest every user to store their sensitive data elsewhere, while waiting for this issue to be fixed.

 

 

Yeah, this has been a known problem for as long as EN exists which has been discussed several times on the forums.

There are two workarounds to prevent unencrypted history of your sensitive data:

• Encrypt first a small dummy text and then change it to the actual text
• Create and encrypt your text with disconnected network

I hope Bending Spoons will finally solve this properly

[Matteo Contigliozzi 0]

@Dave Green Thank you, Dave.  I can't find the email address. When I try to contact the support via chat, it says: "We apologize for the inconvenience. Submit a ticket via email or contact us at discussion.evernote.com" (which I did). What's the email they're referring to?

[Dave Green 217]

@Matteo Contigliozzi Noting that you are a premium user, you can use the URL https://help.evernote.com/hc/en-us/requests/new (You may have to sign in to evernote.com first).  This can be used to generate a ticket in their system.  You get an email when they reply to it (and then you can reply back), but it is tied to a created ticket.

[agsteele 2,997]

The Evernote text encryption has long been considered inadequate.  Better to encrypt in an external application.  I have used AxCrypt very successfully but it is a paid for app if you want to be able to work across devices.

Saferoom is another application that I have used and offers a free level of access and is more tightly integrated with Evernote.